CVE-2024-53150
Linux Kernel Out-of-Bounds Read Vulnerability
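- Response priority: Top priority
- CVSS: 7.1
- EPSS: 1.32% (percentile 67.4%), as of 2026.06.27
- CISA KEV: Listed
- Remediation due date: 2025.04.30
- Published: 2024.12.24
Listed in CISA KEV as a vulnerability with confirmed exploitation in the wild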
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier...
Vendor: Linux
Product: Kernel
Affected versions: b8e4f1fdfa422398c2d6c47bfb7d1feb3046d70a, 9feeaa50e5b4b0b71259d918a36ecf9059e60796, 3b17a13b687ae99939dc94a4ae01fbc34f68decc, 4.19.84, 5.3.11, 5.4, 11.0, < 5.4.287, >= 5.5 < 5.10.231, >= 5.11 < 5.15.174, >= 5.16 < 6.1.120, >= 6.2 < 6.6.64, >= 6.7 < 6.11.11, >= 6.12 < 6.12.2
Fixed versions: 5.4.287, 5.10.231, 5.15.174, 6.1.120, 6.6.64, 6.11.11, 6.12.2
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Remediation due date: 2025.04.30
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125
KEV date added: 2025.04.09
Ransomware campaign use: Unconfirmed
CISA notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. For more information, please see: https://lore.kernel.org/linux-cve-announce/2024122427-CVE-2024-53150-3a7d@gregkh/ ; https://source.android.com/docs/security/bulletin/2025-04-01 ; https://nvd.nist.gov/vuln/detail/CVE-2024-53150
EPSS data as of: 2026.06.27